Attackers are actively exploiting CVE-2026-3055, a critical SAML flaw in Citrix NetScaler that lets an unauthenticated attacker leak sensitive memory contents via crafted requests. The leaked data can include session tokens and other confidential information, which makes the flaw especially dangerous on internet-facing systems. Citrix also fixed CVE-2026-4368, a session mix-up issue that could enable session hijacking in specific configurations. With exploitation of CVE-2026-3055 observed in the wild since March 23, 2026, organizations should urgently apply patches and review their NetScaler deployments. CVE-2026-3055 affects Citrix NetScaler ADC and Citrix NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, including FIPS and NDcPP builds, and carries a CVSS 4.0 score of 9.3. It has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
Citrix has released fixes for a critical vulnerability affecting NetScaler ADC and NetScaler Gateway, CVE-2026-3055, an out-of-bounds memory read (CWE-125) in the SAML authentication processing logic. The flaw originates in a custom XML parsing implementation written in C, where insufficient input validation allows specially crafted SAML or WS-Federation requests to bypass integrity checks. When key attributes such as AssertionConsumerServiceURL are missing from an authentication request sent to the SAML endpoints, the appliance does not check for their presence before reading the corresponding memory.
Instead of rejecting such malformed requests, the vulnerable appliance reads from uninitialized or previously freed memory and returns the exposed bytes to the requester, Base64-encoded inside the NSC_TASS cookie. This behaviour creates a significant risk of leaking sensitive process memory, including session tokens and other confidential data, from internet-facing NetScaler systems.
The vulnerability affects NetScaler ADC and Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, including FIPS and NDcPP builds. Exploitation is limited to appliances configured as SAML Identity Providers, but the risk remains substantial because the flaw is reachable over the network, is low in complexity, and requires no authentication, as reflected in its CVSS 4.0 score of 9.3. Reports confirmed in-the-wild exploitation shortly after disclosure on March 23, 2026, reinforcing the need for immediate patching.
Alongside CVE-2026-3055, Citrix also addressed CVE-2026-4368, a race condition (CWE-362) affecting session handling in specific NetScaler Gateway and AAA configurations. The flaw can lead to session mix-ups, potentially allowing one user to access another’s session data. While the impact of CVE-2026-4368 is limited to build 14.1-66.54 and exploitation requires partial authentication, it still poses a meaningful risk in multi-user environments.
Together, CVE-2026-3055 and CVE-2026-4368 highlight systemic gaps in input validation and concurrent session handling in Citrix NetScaler, underscoring the importance of promptly applying updates and auditing authentication configurations. Anyone running affected versions must apply the patches urgently to protect against active exploitation.
Upgrade all affected NetScaler ADC and NetScaler Gateway appliances to the latest patched versions without delay. The fixed versions are 14.1-66.59 and later for the 14.1 branch, 13.1-62.23 and later for the 13.1 branch, and 13.1-37.262 and later for 13.1-FIPS and 13.1-NDcPP builds. Given confirmed active exploitation of CVE-2026-3055, this should be treated as an emergency patching activity with the highest priority. Organizations on build 14.1-66.54 should upgrade immediately to also address CVE-2026-4368.
For CVE-2026-3055, inspect the NetScaler configuration for add authentication samlIdPProfile entries to determine whether the appliance is exposed as a SAML IdP. For CVE-2026-4368, check for add authentication vserver (AAA) or add vpn vserver (Gateway) entries. Note that CVE-2026-4368 only affects build 14.1-66.54; organizations on other versions are not exposed to the race condition but remain in scope for CVE-2026-3055 if running affected versions.
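The version ranges from the patch guidance and the configuration checks above can be combined into a single offline exposure assessment. The script below is an added example written for this page, not Citrix tooling; it takes a version string and the text of an ns.conf and reports, per CVE, whether the build is vulnerable and whether the relevant configuration objects are present. The version-string formats it accepts ("14.1-66.59", or "NS14.1: Build 66.59.nc" as printed by show ns version), the sample ns.conf, and the function names are assumptions of this example; the fixed builds are the ones stated in the text above.

```python
import re

# Fixed builds per branch as stated in the advisory text above. A build lower
# than the fixed one on the same branch is affected. Keyed by (branch, fips_or_ndcpp).
FIXED_3055 = {
    ("14.1", False): (66, 59),
    ("14.1", True): (66, 59),    # the page lists the 14.1 fix as covering FIPS/NDcPP builds too
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),   # 13.1-FIPS and 13.1-NDcPP use a separate build line
}
# CVE-2026-4368 is limited to exactly this build according to the page.
VULN_4368_BUILD = ("14.1", (66, 54))

# Assumed input formats: "14.1-66.59" or "NS14.1: Build 66.59.nc".
VERSION_RE = re.compile(r"(\d+\.\d+)\D+(\d+)\.(\d+)")


def parse_version(text):
    """Return (branch, (major_build, minor_build)) from a NetScaler version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def affected_by_3055(version, fips_or_ndcpp=False):
    """True/False for the 14.1 and 13.1 branches; None for branches the advisory text does not cover."""
    branch, build = parse_version(version)
    fixed = FIXED_3055.get((branch, fips_or_ndcpp))
    if fixed is None:
        return None
    return build < fixed


def affected_by_4368(version):
    """Only build 14.1-66.54 is affected by the race condition."""
    return parse_version(version) == VULN_4368_BUILD


# Configuration objects the page tells you to look for in ns.conf.
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile\s+(\S+)", re.M)
AAA_VS_RE = re.compile(r"^add authentication vserver\s+(\S+)", re.M)
GW_VS_RE = re.compile(r"^add vpn vserver\s+(\S+)", re.M)


def saml_idp_profiles(conf):
    return SAML_IDP_RE.findall(conf)


def aaa_or_gateway_vservers(conf):
    return AAA_VS_RE.findall(conf) + GW_VS_RE.findall(conf)


def assess(version, conf, fips_or_ndcpp=False):
    """Combine build and configuration into a per-CVE exposure verdict."""
    vuln_3055 = affected_by_3055(version, fips_or_ndcpp)
    vuln_4368 = affected_by_4368(version)
    idp = saml_idp_profiles(conf)
    vs = aaa_or_gateway_vservers(conf)
    return {
        "CVE-2026-3055": {
            "vulnerable_build": vuln_3055,
            "saml_idp_profiles": idp,
            # exposure needs both an affected build and a SAML IdP profile
            "exposed": bool(vuln_3055) and bool(idp),
        },
        "CVE-2026-4368": {
            "vulnerable_build": vuln_4368,
            "aaa_or_gateway_vservers": vs,
            "exposed": vuln_4368 and bool(vs),
        },
    }


# Constructed ns.conf excerpt for demonstration (documentation IP range, invented names).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication vserver aaa_vs SSL 192.0.2.20 443
add vpn vserver gw_vs SSL 192.0.2.21 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idpcert -samlSPCertName spcert
add authentication samlIdPPolicy idp_pol -rule true -action idp_prof
bind authentication vserver aaa_vs -policy idp_pol -priority 100
"""

if __name__ == "__main__":
    for v in ("14.1-66.54", "14.1-66.59", "13.1-62.22"):
        print(v, assess(v, SAMPLE_NS_CONF))
```

On a real appliance, feed the function the output of show ns version and the contents of /nsconfig/ns.conf; a True under "exposed" for CVE-2026-3055 means the box is both unpatched and acting as a SAML IdP, which is the combination the advisory singles out.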
Review /var/log/ns.log on affected appliances for anomalous SAML-related error messages, particularly entries referencing unexpected or empty ProtocolBinding or ACSURL values. Unusual patterns of POST requests to /saml/login or GET requests to /wsfed/passive?wctx with missing parameter values should be investigated as potential CVE-2026-3055 exploitation attempts.
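The log review above can be turned into a small triage script. What follows is an added example for this page, not a Citrix or vendor tool: it scans syslog-style lines for the three indicators named above (SAML errors mentioning an empty or unexpected ProtocolBinding or ACSURL value, GET requests to /wsfed/passive whose wctx parameter is missing or empty, and bursts of POST requests to /saml/login from one source). The log line layout, the field names and the sample lines are constructed for the example and do not reproduce the real ns.log format; on a real appliance you would adapt the request regex to whatever access logging you have in front of the NetScaler.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# SAML error lines that mention a missing/empty/unexpected binding or ACS URL value.
SAML_ERROR_RE = re.compile(
    r"(?:empty|missing|unexpected)[^\n]{0,40}(?:ProtocolBinding|ACSURL|AssertionConsumerServiceURL)"
    r"|(?:ProtocolBinding|ACSURL|AssertionConsumerServiceURL)[^\n]{0,40}(?:empty|missing|unexpected)",
    re.I,
)
# Assumed request-line layout: <src-ip> "<METHOD> <path> HTTP/x.y" <status>
REQ_RE = re.compile(r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "(?P<method>GET|POST) (?P<path>\S+) HTTP/')


def triage(lines, burst_threshold=5):
    """Return a list of findings; each is a dict with type, src and the evidence line."""
    findings = []
    saml_login_posts = Counter()
    for line in lines:
        if SAML_ERROR_RE.search(line):
            findings.append({"type": "saml_error", "src": None, "line": line})
        m = REQ_RE.search(line)
        if not m:
            continue
        src, method, path = m.group("src", "method", "path")
        parts = urlsplit(path)
        if method == "GET" and parts.path == "/wsfed/passive":
            # keep_blank_values so "?wctx" and "?wctx=" both show up as an empty value
            qs = parse_qs(parts.query, keep_blank_values=True)
            if qs.get("wctx", [""]) == [""]:
                findings.append({"type": "wsfed_missing_wctx", "src": src, "line": line})
        elif method == "POST" and parts.path == "/saml/login":
            saml_login_posts[src] += 1
    # Many /saml/login POSTs from a single source in the reviewed window is the
    # "unusual pattern" the advisory text points at; the threshold is a tuning knob.
    for src, n in saml_login_posts.items():
        if n >= burst_threshold:
            findings.append({"type": "saml_login_burst", "src": src,
                             "line": f"{n} POST /saml/login requests from {src}"})
    return findings


# Constructed sample log (documentation IP ranges, invented messages).
SAMPLE_LOG = """\
Mar 24 10:01:02 ns1 AAA: SAML: empty ProtocolBinding in AuthnRequest, continuing
Mar 24 10:01:02 ns1 HTTP: 203.0.113.7 "POST /saml/login HTTP/1.1" 302
Mar 24 10:01:03 ns1 HTTP: 203.0.113.7 "POST /saml/login HTTP/1.1" 302
Mar 24 10:01:03 ns1 HTTP: 203.0.113.7 "POST /saml/login HTTP/1.1" 302
Mar 24 10:01:04 ns1 HTTP: 203.0.113.7 "POST /saml/login HTTP/1.1" 302
Mar 24 10:01:04 ns1 HTTP: 203.0.113.7 "POST /saml/login HTTP/1.1" 302
Mar 24 10:01:09 ns1 HTTP: 203.0.113.7 "GET /wsfed/passive?wctx HTTP/1.1" 302
Mar 24 10:01:10 ns1 HTTP: 198.51.100.4 "GET /wsfed/passive?wtrealm=urn:example&wctx=abc123 HTTP/1.1" 302
Mar 24 10:02:00 ns1 AAA: SAML: ACSURL value unexpected (empty) for profile idp1
Mar 24 10:05:00 ns1 HTTP: 198.51.100.4 "POST /saml/login HTTP/1.1" 302
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f["type"], f["src"], "|", f["line"])
```

Findings of type saml_error are the strongest signal, since they reflect the appliance itself accepting a request with the missing attribute; the request-pattern findings are noisier and are best correlated by source address and time with the SAML errors.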
After applying the CVE-2026-3055 patches, invalidate all active user and administrative sessions on the appliance. If CVE-2026-3055 exploitation cannot be ruled out, rotate all credentials that may have been exposed through the appliance, including administrative passwords and any session tokens for downstream applications that were processed through the NetScaler.
Establish a continuous vulnerability management process that prioritizes the timely assessment and remediation of critical vulnerabilities like CVE-2026-3055 in internet-facing appliances. Maintain an accurate inventory of all NetScaler appliance versions and configurations, subscribe to Citrix security bulletins for timely notification of future advisories, and evaluate the ongoing security posture of third-party network appliances as part of your organization’s risk management framework.
MITRE ATT&CK tactics: Initial Access, Credential Access, Collection, Lateral Movement, Resource Development.